Data Classification & Handling Policy
| Property | Value |
|---|---|
| Document ID | POL-005 |
| Version | 1.0 |
| Status | Draft |
| Owner | Chief Information Security Officer (CISO) |
| Last Updated | 2026-01-11 |
| Next Review | 2027-01-11 |
| Related Controls | SOC 2: CC6.1, CC6.5 / ISO 27001: A.8.1-A.8.3 |
1. Purpose
This policy establishes a framework for classifying information assets based on sensitivity and defines handling requirements for each classification level. Proper data classification ensures appropriate protection measures are applied throughout the data lifecycle.
2. Scope
This policy applies to:
- Data Types: All data created, received, processed, or stored by the organization
- Formats: Electronic, paper, verbal, and visual information
- Locations: On-premises systems, cloud services, endpoints, and third-party systems
- Personnel: All employees, contractors, and third parties handling organizational data
3. Data Classification Levels
3.1 Classification Definitions
| Level | Label | Description | Examples |
|---|---|---|---|
| Level 4 | RESTRICTED | Highly sensitive data with severe impact if disclosed | PII, PHI, financial data, credentials, encryption keys |
| Level 3 | CONFIDENTIAL | Sensitive business data with significant impact | Customer lists, contracts, source code, internal reports |
| Level 2 | INTERNAL | Internal use data with limited impact | Policies, procedures, org charts, internal communications |
| Level 1 | PUBLIC | Information approved for public release | Marketing materials, public website content, press releases |
3.2 Classification Criteria
Use the following criteria to determine classification:
| Criterion | RESTRICTED | CONFIDENTIAL | INTERNAL | PUBLIC |
|---|---|---|---|---|
| Regulatory requirement | Yes (GDPR, HIPAA, PCI) | Possible | No | No |
| Financial impact if disclosed | >$100K | $10K-$100K | <$10K | None |
| Reputational impact | Severe | Significant | Limited | None |
| Competitive advantage | Critical | Important | Some | None |
| Legal liability | High | Medium | Low | None |
3.3 Data Types by Classification
RESTRICTED (Level 4)
- Personally Identifiable Information (PII)
- Protected Health Information (PHI)
- Payment Card Data (PCI DSS scope)
- Social Security Numbers / Government IDs
- Financial account numbers
- Authentication credentials and secrets
- Encryption keys and certificates
- Security vulnerability details
- Audit logs containing sensitive data
CONFIDENTIAL (Level 3)
- Customer data (non-PII)
- Employee records (non-PII)
- Source code and intellectual property
- Business strategies and plans
- Vendor contracts and pricing
- Financial reports (internal)
- Security configurations
- System architecture documentation
INTERNAL (Level 2)
- Internal policies and procedures
- Meeting notes and minutes
- Project documentation
- Training materials
- Organizational charts
- Internal communications
- Non-sensitive operational data
PUBLIC (Level 1)
- Published marketing content
- Public website content
- Press releases
- Published documentation
- Public job postings
4. Handling Requirements
4.1 Handling Matrix
| Control | RESTRICTED | CONFIDENTIAL | INTERNAL | PUBLIC |
|---|---|---|---|---|
| Encryption at rest | Required (AES-256) | Required | Recommended | Optional |
| Encryption in transit | Required (TLS 1.2+) | Required | Required | Recommended |
| Access control | Need-to-know, MFA | Role-based | Role-based | Open |
| Logging | Full audit logging | Access logging | Standard logging | Optional |
| Sharing external | Prohibited without approval | Approval required | Case-by-case | Allowed |
| Cloud storage | Approved services only | Approved services | Approved services | Any |
| Printing | Discouraged, secure print | Allowed, collect promptly | Allowed | Allowed |
| Mobile devices | MDM required, encrypted | MDM required | Approved devices | Any |
| Retention | Per legal/regulatory | Per retention schedule | Per retention schedule | No limit |
| Disposal | Cryptographic erasure | Secure deletion | Standard deletion | Standard deletion |
4.2 Storage Requirements
| Classification | Approved Storage Locations |
|---|---|
| RESTRICTED | Encrypted databases, approved cloud (AWS, GCP) with CMK, secrets vault |
| CONFIDENTIAL | Corporate systems, approved cloud services, encrypted endpoints |
| INTERNAL | Corporate systems, approved cloud services, corporate email |
| PUBLIC | Any corporate-approved location |
Prohibited Storage (All Classifications except PUBLIC):
- Personal email accounts
- Personal cloud storage (Dropbox, Google Drive personal)
- Unencrypted removable media
- Personal devices without MDM
4.3 Transmission Requirements
| Classification | Approved Transmission Methods |
|---|---|
| RESTRICTED | Encrypted email, secure file transfer, approved APIs |
| CONFIDENTIAL | Corporate email (TLS), secure file transfer, approved collaboration tools |
| INTERNAL | Corporate email, approved collaboration tools |
| PUBLIC | Any method |
4.4 Labeling Requirements
| Classification | Labeling Requirement |
|---|---|
| RESTRICTED | Header/footer label required on documents; metadata tags in systems |
| CONFIDENTIAL | Header/footer label recommended; metadata tags in systems |
| INTERNAL | "Internal Use Only" recommended |
| PUBLIC | No labeling required |
4.5 Data Retention and Disposal
| Classification | Retention | Disposal Method |
|---|---|---|
| RESTRICTED | Per regulatory requirement or 7 years | Cryptographic erasure, physical destruction |
| CONFIDENTIAL | Per business need or 5 years | Secure deletion (DoD 5220.22-M or NIST SP 800-88) |
| INTERNAL | Per business need or 3 years | Standard deletion |
| PUBLIC | No limit | Standard deletion |
5. Data Lifecycle Management
Data moves through the following lifecycle stages in order, each with its required action:
| Stage | Required Action |
|---|---|
| Create/Receive | Assign owner |
| Classify | Apply label and controls |
| Store | Approved location |
| Use | Access controls |
| Archive | Retain per schedule |
| Dispose | Secure destruction |
5.1 Classification Responsibility
| Data Source | Responsible Party |
|---|---|
| Customer data | Product/Data Team with Legal guidance |
| Employee data | HR with Legal guidance |
| Financial data | Finance with Legal guidance |
| Technical data | Engineering/IT |
| Business data | Business unit owner |
5.2 Reclassification
Data may be reclassified when:
- Regulatory requirements change
- Business need changes
- Data is aggregated or anonymized
- Information becomes public
Reclassification must be documented and approved by the data owner.
6. Special Data Categories
6.1 Personal Data (GDPR/Privacy)
Personal data requires additional controls:
- Lawful basis for processing documented
- Data processing agreement with third parties
- Data subject rights procedures (access, deletion, portability)
- Privacy impact assessment for new processing
- Cross-border transfer mechanisms (if applicable)
- Breach notification procedures (72-hour requirement)
6.2 Payment Card Data (PCI DSS)
Payment card data handling:
- Minimize storage of cardholder data
- Never store CVV/CVC codes
- Truncate or mask PANs when displayed
- Encrypt stored PANs
- Maintain PCI DSS compliance documentation
7. Roles and Responsibilities
| Role | Responsibilities |
|---|---|
| CISO / Security Lead | Define classification framework, oversee compliance |
| Data Owners | Classify data, approve access, define retention |
| Data Custodians | Implement technical controls, maintain systems |
| Legal/Compliance | Advise on regulatory requirements |
| All Employees | Handle data per classification, report incidents |
8. Implementation Checklist
Technical Controls
- Data Loss Prevention (DLP) implemented for RESTRICTED data
- Encryption enforced per classification requirements
- Access controls aligned with classification levels
- Audit logging enabled for RESTRICTED and CONFIDENTIAL
- Data discovery/classification tools deployed
- Secure disposal procedures implemented
Process Controls
- Data inventory/mapping completed
- Classification criteria communicated to all staff
- Data handling training completed
- Retention schedules documented
- Third-party data agreements reviewed
9. Evidence Requirements
| Evidence Type | Description | Location | Retention |
|---|---|---|---|
| Data Inventory | Catalog of data assets with classifications | Data governance tool | Current |
| Classification Training | Records of employee training | LMS | 3 years |
| DLP Reports | Data loss prevention monitoring reports | DLP console | 1 year |
| Disposal Records | Evidence of secure data destruction | Disposal logs | 7 years |
| Access Reviews | Reviews of access to classified data | Access review system | 3 years |
| Encryption Status | Evidence of encryption for classified data | System configs | Current |
10. Related Documents
- Access Control Policy (POL-002)
- Encryption & Key Management Policy (POL-004)
- Backup & Recovery Policy (POL-009)
- Third-Party/Vendor Security Policy (POL-010)
11. Version History
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | 2026-01-11 | Security Team | Initial release |
12. Approval
| Role | Name | Signature | Date |
|---|---|---|---|
| CISO | _________________ | _________________ | ________ |
| Legal/DPO | _________________ | _________________ | ________ |
This document is classified as INTERNAL. Unauthorized distribution is prohibited.